1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /* Kerberos-based RxRPC security
3*4882a593Smuzhiyun *
4*4882a593Smuzhiyun * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5*4882a593Smuzhiyun * Written by David Howells (dhowells@redhat.com)
6*4882a593Smuzhiyun */
7*4882a593Smuzhiyun
8*4882a593Smuzhiyun #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9*4882a593Smuzhiyun
10*4882a593Smuzhiyun #include <crypto/skcipher.h>
11*4882a593Smuzhiyun #include <linux/module.h>
12*4882a593Smuzhiyun #include <linux/net.h>
13*4882a593Smuzhiyun #include <linux/skbuff.h>
14*4882a593Smuzhiyun #include <linux/udp.h>
15*4882a593Smuzhiyun #include <linux/scatterlist.h>
16*4882a593Smuzhiyun #include <linux/ctype.h>
17*4882a593Smuzhiyun #include <linux/slab.h>
18*4882a593Smuzhiyun #include <net/sock.h>
19*4882a593Smuzhiyun #include <net/af_rxrpc.h>
20*4882a593Smuzhiyun #include <keys/rxrpc-type.h>
21*4882a593Smuzhiyun #include "ar-internal.h"
22*4882a593Smuzhiyun
23*4882a593Smuzhiyun #define RXKAD_VERSION 2
24*4882a593Smuzhiyun #define MAXKRB5TICKETLEN 1024
25*4882a593Smuzhiyun #define RXKAD_TKT_TYPE_KERBEROS_V5 256
26*4882a593Smuzhiyun #define ANAME_SZ 40 /* size of authentication name */
27*4882a593Smuzhiyun #define INST_SZ 40 /* size of principal's instance */
28*4882a593Smuzhiyun #define REALM_SZ 40 /* size of principal's auth domain */
29*4882a593Smuzhiyun #define SNAME_SZ 40 /* size of service name */
30*4882a593Smuzhiyun
31*4882a593Smuzhiyun struct rxkad_level1_hdr {
32*4882a593Smuzhiyun __be32 data_size; /* true data size (excluding padding) */
33*4882a593Smuzhiyun };
34*4882a593Smuzhiyun
35*4882a593Smuzhiyun struct rxkad_level2_hdr {
36*4882a593Smuzhiyun __be32 data_size; /* true data size (excluding padding) */
37*4882a593Smuzhiyun __be32 checksum; /* decrypted data checksum */
38*4882a593Smuzhiyun };
39*4882a593Smuzhiyun
40*4882a593Smuzhiyun /*
41*4882a593Smuzhiyun * this holds a pinned cipher so that keventd doesn't get called by the cipher
42*4882a593Smuzhiyun * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
43*4882a593Smuzhiyun * packets
44*4882a593Smuzhiyun */
45*4882a593Smuzhiyun static struct crypto_sync_skcipher *rxkad_ci;
46*4882a593Smuzhiyun static struct skcipher_request *rxkad_ci_req;
47*4882a593Smuzhiyun static DEFINE_MUTEX(rxkad_ci_mutex);
48*4882a593Smuzhiyun
49*4882a593Smuzhiyun /*
50*4882a593Smuzhiyun * initialise connection security
51*4882a593Smuzhiyun */
rxkad_init_connection_security(struct rxrpc_connection * conn)52*4882a593Smuzhiyun static int rxkad_init_connection_security(struct rxrpc_connection *conn)
53*4882a593Smuzhiyun {
54*4882a593Smuzhiyun struct crypto_sync_skcipher *ci;
55*4882a593Smuzhiyun struct rxrpc_key_token *token;
56*4882a593Smuzhiyun int ret;
57*4882a593Smuzhiyun
58*4882a593Smuzhiyun _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
59*4882a593Smuzhiyun
60*4882a593Smuzhiyun token = conn->params.key->payload.data[0];
61*4882a593Smuzhiyun conn->security_ix = token->security_index;
62*4882a593Smuzhiyun
63*4882a593Smuzhiyun ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
64*4882a593Smuzhiyun if (IS_ERR(ci)) {
65*4882a593Smuzhiyun _debug("no cipher");
66*4882a593Smuzhiyun ret = PTR_ERR(ci);
67*4882a593Smuzhiyun goto error;
68*4882a593Smuzhiyun }
69*4882a593Smuzhiyun
70*4882a593Smuzhiyun if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
71*4882a593Smuzhiyun sizeof(token->kad->session_key)) < 0)
72*4882a593Smuzhiyun BUG();
73*4882a593Smuzhiyun
74*4882a593Smuzhiyun switch (conn->params.security_level) {
75*4882a593Smuzhiyun case RXRPC_SECURITY_PLAIN:
76*4882a593Smuzhiyun break;
77*4882a593Smuzhiyun case RXRPC_SECURITY_AUTH:
78*4882a593Smuzhiyun conn->size_align = 8;
79*4882a593Smuzhiyun conn->security_size = sizeof(struct rxkad_level1_hdr);
80*4882a593Smuzhiyun break;
81*4882a593Smuzhiyun case RXRPC_SECURITY_ENCRYPT:
82*4882a593Smuzhiyun conn->size_align = 8;
83*4882a593Smuzhiyun conn->security_size = sizeof(struct rxkad_level2_hdr);
84*4882a593Smuzhiyun break;
85*4882a593Smuzhiyun default:
86*4882a593Smuzhiyun ret = -EKEYREJECTED;
87*4882a593Smuzhiyun goto error;
88*4882a593Smuzhiyun }
89*4882a593Smuzhiyun
90*4882a593Smuzhiyun conn->cipher = ci;
91*4882a593Smuzhiyun ret = 0;
92*4882a593Smuzhiyun error:
93*4882a593Smuzhiyun _leave(" = %d", ret);
94*4882a593Smuzhiyun return ret;
95*4882a593Smuzhiyun }
96*4882a593Smuzhiyun
97*4882a593Smuzhiyun /*
98*4882a593Smuzhiyun * prime the encryption state with the invariant parts of a connection's
99*4882a593Smuzhiyun * description
100*4882a593Smuzhiyun */
rxkad_prime_packet_security(struct rxrpc_connection * conn)101*4882a593Smuzhiyun static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
102*4882a593Smuzhiyun {
103*4882a593Smuzhiyun struct skcipher_request *req;
104*4882a593Smuzhiyun struct rxrpc_key_token *token;
105*4882a593Smuzhiyun struct scatterlist sg;
106*4882a593Smuzhiyun struct rxrpc_crypt iv;
107*4882a593Smuzhiyun __be32 *tmpbuf;
108*4882a593Smuzhiyun size_t tmpsize = 4 * sizeof(__be32);
109*4882a593Smuzhiyun
110*4882a593Smuzhiyun _enter("");
111*4882a593Smuzhiyun
112*4882a593Smuzhiyun if (!conn->params.key)
113*4882a593Smuzhiyun return 0;
114*4882a593Smuzhiyun
115*4882a593Smuzhiyun tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
116*4882a593Smuzhiyun if (!tmpbuf)
117*4882a593Smuzhiyun return -ENOMEM;
118*4882a593Smuzhiyun
119*4882a593Smuzhiyun req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
120*4882a593Smuzhiyun if (!req) {
121*4882a593Smuzhiyun kfree(tmpbuf);
122*4882a593Smuzhiyun return -ENOMEM;
123*4882a593Smuzhiyun }
124*4882a593Smuzhiyun
125*4882a593Smuzhiyun token = conn->params.key->payload.data[0];
126*4882a593Smuzhiyun memcpy(&iv, token->kad->session_key, sizeof(iv));
127*4882a593Smuzhiyun
128*4882a593Smuzhiyun tmpbuf[0] = htonl(conn->proto.epoch);
129*4882a593Smuzhiyun tmpbuf[1] = htonl(conn->proto.cid);
130*4882a593Smuzhiyun tmpbuf[2] = 0;
131*4882a593Smuzhiyun tmpbuf[3] = htonl(conn->security_ix);
132*4882a593Smuzhiyun
133*4882a593Smuzhiyun sg_init_one(&sg, tmpbuf, tmpsize);
134*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, conn->cipher);
135*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
136*4882a593Smuzhiyun skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
137*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
138*4882a593Smuzhiyun skcipher_request_free(req);
139*4882a593Smuzhiyun
140*4882a593Smuzhiyun memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
141*4882a593Smuzhiyun kfree(tmpbuf);
142*4882a593Smuzhiyun _leave(" = 0");
143*4882a593Smuzhiyun return 0;
144*4882a593Smuzhiyun }
145*4882a593Smuzhiyun
146*4882a593Smuzhiyun /*
147*4882a593Smuzhiyun * Allocate and prepare the crypto request on a call. For any particular call,
148*4882a593Smuzhiyun * this is called serially for the packets, so no lock should be necessary.
149*4882a593Smuzhiyun */
rxkad_get_call_crypto(struct rxrpc_call * call)150*4882a593Smuzhiyun static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
151*4882a593Smuzhiyun {
152*4882a593Smuzhiyun struct crypto_skcipher *tfm = &call->conn->cipher->base;
153*4882a593Smuzhiyun struct skcipher_request *cipher_req = call->cipher_req;
154*4882a593Smuzhiyun
155*4882a593Smuzhiyun if (!cipher_req) {
156*4882a593Smuzhiyun cipher_req = skcipher_request_alloc(tfm, GFP_NOFS);
157*4882a593Smuzhiyun if (!cipher_req)
158*4882a593Smuzhiyun return NULL;
159*4882a593Smuzhiyun call->cipher_req = cipher_req;
160*4882a593Smuzhiyun }
161*4882a593Smuzhiyun
162*4882a593Smuzhiyun return cipher_req;
163*4882a593Smuzhiyun }
164*4882a593Smuzhiyun
165*4882a593Smuzhiyun /*
166*4882a593Smuzhiyun * Clean up the crypto on a call.
167*4882a593Smuzhiyun */
rxkad_free_call_crypto(struct rxrpc_call * call)168*4882a593Smuzhiyun static void rxkad_free_call_crypto(struct rxrpc_call *call)
169*4882a593Smuzhiyun {
170*4882a593Smuzhiyun if (call->cipher_req)
171*4882a593Smuzhiyun skcipher_request_free(call->cipher_req);
172*4882a593Smuzhiyun call->cipher_req = NULL;
173*4882a593Smuzhiyun }
174*4882a593Smuzhiyun
175*4882a593Smuzhiyun /*
176*4882a593Smuzhiyun * partially encrypt a packet (level 1 security)
177*4882a593Smuzhiyun */
rxkad_secure_packet_auth(const struct rxrpc_call * call,struct sk_buff * skb,u32 data_size,void * sechdr,struct skcipher_request * req)178*4882a593Smuzhiyun static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
179*4882a593Smuzhiyun struct sk_buff *skb,
180*4882a593Smuzhiyun u32 data_size,
181*4882a593Smuzhiyun void *sechdr,
182*4882a593Smuzhiyun struct skcipher_request *req)
183*4882a593Smuzhiyun {
184*4882a593Smuzhiyun struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
185*4882a593Smuzhiyun struct rxkad_level1_hdr hdr;
186*4882a593Smuzhiyun struct rxrpc_crypt iv;
187*4882a593Smuzhiyun struct scatterlist sg;
188*4882a593Smuzhiyun u16 check;
189*4882a593Smuzhiyun
190*4882a593Smuzhiyun _enter("");
191*4882a593Smuzhiyun
192*4882a593Smuzhiyun check = sp->hdr.seq ^ call->call_id;
193*4882a593Smuzhiyun data_size |= (u32)check << 16;
194*4882a593Smuzhiyun
195*4882a593Smuzhiyun hdr.data_size = htonl(data_size);
196*4882a593Smuzhiyun memcpy(sechdr, &hdr, sizeof(hdr));
197*4882a593Smuzhiyun
198*4882a593Smuzhiyun /* start the encryption afresh */
199*4882a593Smuzhiyun memset(&iv, 0, sizeof(iv));
200*4882a593Smuzhiyun
201*4882a593Smuzhiyun sg_init_one(&sg, sechdr, 8);
202*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
203*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
204*4882a593Smuzhiyun skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
205*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
206*4882a593Smuzhiyun skcipher_request_zero(req);
207*4882a593Smuzhiyun
208*4882a593Smuzhiyun _leave(" = 0");
209*4882a593Smuzhiyun return 0;
210*4882a593Smuzhiyun }
211*4882a593Smuzhiyun
212*4882a593Smuzhiyun /*
213*4882a593Smuzhiyun * wholly encrypt a packet (level 2 security)
214*4882a593Smuzhiyun */
rxkad_secure_packet_encrypt(const struct rxrpc_call * call,struct sk_buff * skb,u32 data_size,void * sechdr,struct skcipher_request * req)215*4882a593Smuzhiyun static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
216*4882a593Smuzhiyun struct sk_buff *skb,
217*4882a593Smuzhiyun u32 data_size,
218*4882a593Smuzhiyun void *sechdr,
219*4882a593Smuzhiyun struct skcipher_request *req)
220*4882a593Smuzhiyun {
221*4882a593Smuzhiyun const struct rxrpc_key_token *token;
222*4882a593Smuzhiyun struct rxkad_level2_hdr rxkhdr;
223*4882a593Smuzhiyun struct rxrpc_skb_priv *sp;
224*4882a593Smuzhiyun struct rxrpc_crypt iv;
225*4882a593Smuzhiyun struct scatterlist sg[16];
226*4882a593Smuzhiyun unsigned int len;
227*4882a593Smuzhiyun u16 check;
228*4882a593Smuzhiyun int err;
229*4882a593Smuzhiyun
230*4882a593Smuzhiyun sp = rxrpc_skb(skb);
231*4882a593Smuzhiyun
232*4882a593Smuzhiyun _enter("");
233*4882a593Smuzhiyun
234*4882a593Smuzhiyun check = sp->hdr.seq ^ call->call_id;
235*4882a593Smuzhiyun
236*4882a593Smuzhiyun rxkhdr.data_size = htonl(data_size | (u32)check << 16);
237*4882a593Smuzhiyun rxkhdr.checksum = 0;
238*4882a593Smuzhiyun memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
239*4882a593Smuzhiyun
240*4882a593Smuzhiyun /* encrypt from the session key */
241*4882a593Smuzhiyun token = call->conn->params.key->payload.data[0];
242*4882a593Smuzhiyun memcpy(&iv, token->kad->session_key, sizeof(iv));
243*4882a593Smuzhiyun
244*4882a593Smuzhiyun sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
245*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
246*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
247*4882a593Smuzhiyun skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
248*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
249*4882a593Smuzhiyun
250*4882a593Smuzhiyun /* we want to encrypt the skbuff in-place */
251*4882a593Smuzhiyun err = -EMSGSIZE;
252*4882a593Smuzhiyun if (skb_shinfo(skb)->nr_frags > 16)
253*4882a593Smuzhiyun goto out;
254*4882a593Smuzhiyun
255*4882a593Smuzhiyun len = data_size + call->conn->size_align - 1;
256*4882a593Smuzhiyun len &= ~(call->conn->size_align - 1);
257*4882a593Smuzhiyun
258*4882a593Smuzhiyun sg_init_table(sg, ARRAY_SIZE(sg));
259*4882a593Smuzhiyun err = skb_to_sgvec(skb, sg, 0, len);
260*4882a593Smuzhiyun if (unlikely(err < 0))
261*4882a593Smuzhiyun goto out;
262*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, len, iv.x);
263*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
264*4882a593Smuzhiyun
265*4882a593Smuzhiyun _leave(" = 0");
266*4882a593Smuzhiyun err = 0;
267*4882a593Smuzhiyun
268*4882a593Smuzhiyun out:
269*4882a593Smuzhiyun skcipher_request_zero(req);
270*4882a593Smuzhiyun return err;
271*4882a593Smuzhiyun }
272*4882a593Smuzhiyun
273*4882a593Smuzhiyun /*
274*4882a593Smuzhiyun * checksum an RxRPC packet header
275*4882a593Smuzhiyun */
rxkad_secure_packet(struct rxrpc_call * call,struct sk_buff * skb,size_t data_size,void * sechdr)276*4882a593Smuzhiyun static int rxkad_secure_packet(struct rxrpc_call *call,
277*4882a593Smuzhiyun struct sk_buff *skb,
278*4882a593Smuzhiyun size_t data_size,
279*4882a593Smuzhiyun void *sechdr)
280*4882a593Smuzhiyun {
281*4882a593Smuzhiyun struct rxrpc_skb_priv *sp;
282*4882a593Smuzhiyun struct skcipher_request *req;
283*4882a593Smuzhiyun struct rxrpc_crypt iv;
284*4882a593Smuzhiyun struct scatterlist sg;
285*4882a593Smuzhiyun u32 x, y;
286*4882a593Smuzhiyun int ret;
287*4882a593Smuzhiyun
288*4882a593Smuzhiyun sp = rxrpc_skb(skb);
289*4882a593Smuzhiyun
290*4882a593Smuzhiyun _enter("{%d{%x}},{#%u},%zu,",
291*4882a593Smuzhiyun call->debug_id, key_serial(call->conn->params.key),
292*4882a593Smuzhiyun sp->hdr.seq, data_size);
293*4882a593Smuzhiyun
294*4882a593Smuzhiyun if (!call->conn->cipher)
295*4882a593Smuzhiyun return 0;
296*4882a593Smuzhiyun
297*4882a593Smuzhiyun ret = key_validate(call->conn->params.key);
298*4882a593Smuzhiyun if (ret < 0)
299*4882a593Smuzhiyun return ret;
300*4882a593Smuzhiyun
301*4882a593Smuzhiyun req = rxkad_get_call_crypto(call);
302*4882a593Smuzhiyun if (!req)
303*4882a593Smuzhiyun return -ENOMEM;
304*4882a593Smuzhiyun
305*4882a593Smuzhiyun /* continue encrypting from where we left off */
306*4882a593Smuzhiyun memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
307*4882a593Smuzhiyun
308*4882a593Smuzhiyun /* calculate the security checksum */
309*4882a593Smuzhiyun x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
310*4882a593Smuzhiyun x |= sp->hdr.seq & 0x3fffffff;
311*4882a593Smuzhiyun call->crypto_buf[0] = htonl(call->call_id);
312*4882a593Smuzhiyun call->crypto_buf[1] = htonl(x);
313*4882a593Smuzhiyun
314*4882a593Smuzhiyun sg_init_one(&sg, call->crypto_buf, 8);
315*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
316*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
317*4882a593Smuzhiyun skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
318*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
319*4882a593Smuzhiyun skcipher_request_zero(req);
320*4882a593Smuzhiyun
321*4882a593Smuzhiyun y = ntohl(call->crypto_buf[1]);
322*4882a593Smuzhiyun y = (y >> 16) & 0xffff;
323*4882a593Smuzhiyun if (y == 0)
324*4882a593Smuzhiyun y = 1; /* zero checksums are not permitted */
325*4882a593Smuzhiyun sp->hdr.cksum = y;
326*4882a593Smuzhiyun
327*4882a593Smuzhiyun switch (call->conn->params.security_level) {
328*4882a593Smuzhiyun case RXRPC_SECURITY_PLAIN:
329*4882a593Smuzhiyun ret = 0;
330*4882a593Smuzhiyun break;
331*4882a593Smuzhiyun case RXRPC_SECURITY_AUTH:
332*4882a593Smuzhiyun ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
333*4882a593Smuzhiyun req);
334*4882a593Smuzhiyun break;
335*4882a593Smuzhiyun case RXRPC_SECURITY_ENCRYPT:
336*4882a593Smuzhiyun ret = rxkad_secure_packet_encrypt(call, skb, data_size,
337*4882a593Smuzhiyun sechdr, req);
338*4882a593Smuzhiyun break;
339*4882a593Smuzhiyun default:
340*4882a593Smuzhiyun ret = -EPERM;
341*4882a593Smuzhiyun break;
342*4882a593Smuzhiyun }
343*4882a593Smuzhiyun
344*4882a593Smuzhiyun _leave(" = %d [set %hx]", ret, y);
345*4882a593Smuzhiyun return ret;
346*4882a593Smuzhiyun }
347*4882a593Smuzhiyun
348*4882a593Smuzhiyun /*
349*4882a593Smuzhiyun * decrypt partial encryption on a packet (level 1 security)
350*4882a593Smuzhiyun */
rxkad_verify_packet_1(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,struct skcipher_request * req)351*4882a593Smuzhiyun static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
352*4882a593Smuzhiyun unsigned int offset, unsigned int len,
353*4882a593Smuzhiyun rxrpc_seq_t seq,
354*4882a593Smuzhiyun struct skcipher_request *req)
355*4882a593Smuzhiyun {
356*4882a593Smuzhiyun struct rxkad_level1_hdr sechdr;
357*4882a593Smuzhiyun struct rxrpc_crypt iv;
358*4882a593Smuzhiyun struct scatterlist sg[16];
359*4882a593Smuzhiyun bool aborted;
360*4882a593Smuzhiyun u32 data_size, buf;
361*4882a593Smuzhiyun u16 check;
362*4882a593Smuzhiyun int ret;
363*4882a593Smuzhiyun
364*4882a593Smuzhiyun _enter("");
365*4882a593Smuzhiyun
366*4882a593Smuzhiyun if (len < 8) {
367*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
368*4882a593Smuzhiyun RXKADSEALEDINCON);
369*4882a593Smuzhiyun goto protocol_error;
370*4882a593Smuzhiyun }
371*4882a593Smuzhiyun
372*4882a593Smuzhiyun /* Decrypt the skbuff in-place. TODO: We really want to decrypt
373*4882a593Smuzhiyun * directly into the target buffer.
374*4882a593Smuzhiyun */
375*4882a593Smuzhiyun sg_init_table(sg, ARRAY_SIZE(sg));
376*4882a593Smuzhiyun ret = skb_to_sgvec(skb, sg, offset, 8);
377*4882a593Smuzhiyun if (unlikely(ret < 0))
378*4882a593Smuzhiyun return ret;
379*4882a593Smuzhiyun
380*4882a593Smuzhiyun /* start the decryption afresh */
381*4882a593Smuzhiyun memset(&iv, 0, sizeof(iv));
382*4882a593Smuzhiyun
383*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
384*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
385*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
386*4882a593Smuzhiyun crypto_skcipher_decrypt(req);
387*4882a593Smuzhiyun skcipher_request_zero(req);
388*4882a593Smuzhiyun
389*4882a593Smuzhiyun /* Extract the decrypted packet length */
390*4882a593Smuzhiyun if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
391*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
392*4882a593Smuzhiyun RXKADDATALEN);
393*4882a593Smuzhiyun goto protocol_error;
394*4882a593Smuzhiyun }
395*4882a593Smuzhiyun offset += sizeof(sechdr);
396*4882a593Smuzhiyun len -= sizeof(sechdr);
397*4882a593Smuzhiyun
398*4882a593Smuzhiyun buf = ntohl(sechdr.data_size);
399*4882a593Smuzhiyun data_size = buf & 0xffff;
400*4882a593Smuzhiyun
401*4882a593Smuzhiyun check = buf >> 16;
402*4882a593Smuzhiyun check ^= seq ^ call->call_id;
403*4882a593Smuzhiyun check &= 0xffff;
404*4882a593Smuzhiyun if (check != 0) {
405*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
406*4882a593Smuzhiyun RXKADSEALEDINCON);
407*4882a593Smuzhiyun goto protocol_error;
408*4882a593Smuzhiyun }
409*4882a593Smuzhiyun
410*4882a593Smuzhiyun if (data_size > len) {
411*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
412*4882a593Smuzhiyun RXKADDATALEN);
413*4882a593Smuzhiyun goto protocol_error;
414*4882a593Smuzhiyun }
415*4882a593Smuzhiyun
416*4882a593Smuzhiyun _leave(" = 0 [dlen=%x]", data_size);
417*4882a593Smuzhiyun return 0;
418*4882a593Smuzhiyun
419*4882a593Smuzhiyun protocol_error:
420*4882a593Smuzhiyun if (aborted)
421*4882a593Smuzhiyun rxrpc_send_abort_packet(call);
422*4882a593Smuzhiyun return -EPROTO;
423*4882a593Smuzhiyun }
424*4882a593Smuzhiyun
425*4882a593Smuzhiyun /*
426*4882a593Smuzhiyun * wholly decrypt a packet (level 2 security)
427*4882a593Smuzhiyun */
rxkad_verify_packet_2(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,struct skcipher_request * req)428*4882a593Smuzhiyun static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
429*4882a593Smuzhiyun unsigned int offset, unsigned int len,
430*4882a593Smuzhiyun rxrpc_seq_t seq,
431*4882a593Smuzhiyun struct skcipher_request *req)
432*4882a593Smuzhiyun {
433*4882a593Smuzhiyun const struct rxrpc_key_token *token;
434*4882a593Smuzhiyun struct rxkad_level2_hdr sechdr;
435*4882a593Smuzhiyun struct rxrpc_crypt iv;
436*4882a593Smuzhiyun struct scatterlist _sg[4], *sg;
437*4882a593Smuzhiyun bool aborted;
438*4882a593Smuzhiyun u32 data_size, buf;
439*4882a593Smuzhiyun u16 check;
440*4882a593Smuzhiyun int nsg, ret;
441*4882a593Smuzhiyun
442*4882a593Smuzhiyun _enter(",{%d}", skb->len);
443*4882a593Smuzhiyun
444*4882a593Smuzhiyun if (len < 8) {
445*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
446*4882a593Smuzhiyun RXKADSEALEDINCON);
447*4882a593Smuzhiyun goto protocol_error;
448*4882a593Smuzhiyun }
449*4882a593Smuzhiyun
450*4882a593Smuzhiyun /* Decrypt the skbuff in-place. TODO: We really want to decrypt
451*4882a593Smuzhiyun * directly into the target buffer.
452*4882a593Smuzhiyun */
453*4882a593Smuzhiyun sg = _sg;
454*4882a593Smuzhiyun nsg = skb_shinfo(skb)->nr_frags + 1;
455*4882a593Smuzhiyun if (nsg <= 4) {
456*4882a593Smuzhiyun nsg = 4;
457*4882a593Smuzhiyun } else {
458*4882a593Smuzhiyun sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
459*4882a593Smuzhiyun if (!sg)
460*4882a593Smuzhiyun goto nomem;
461*4882a593Smuzhiyun }
462*4882a593Smuzhiyun
463*4882a593Smuzhiyun sg_init_table(sg, nsg);
464*4882a593Smuzhiyun ret = skb_to_sgvec(skb, sg, offset, len);
465*4882a593Smuzhiyun if (unlikely(ret < 0)) {
466*4882a593Smuzhiyun if (sg != _sg)
467*4882a593Smuzhiyun kfree(sg);
468*4882a593Smuzhiyun return ret;
469*4882a593Smuzhiyun }
470*4882a593Smuzhiyun
471*4882a593Smuzhiyun /* decrypt from the session key */
472*4882a593Smuzhiyun token = call->conn->params.key->payload.data[0];
473*4882a593Smuzhiyun memcpy(&iv, token->kad->session_key, sizeof(iv));
474*4882a593Smuzhiyun
475*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
476*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
477*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, len, iv.x);
478*4882a593Smuzhiyun crypto_skcipher_decrypt(req);
479*4882a593Smuzhiyun skcipher_request_zero(req);
480*4882a593Smuzhiyun if (sg != _sg)
481*4882a593Smuzhiyun kfree(sg);
482*4882a593Smuzhiyun
483*4882a593Smuzhiyun /* Extract the decrypted packet length */
484*4882a593Smuzhiyun if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
485*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
486*4882a593Smuzhiyun RXKADDATALEN);
487*4882a593Smuzhiyun goto protocol_error;
488*4882a593Smuzhiyun }
489*4882a593Smuzhiyun offset += sizeof(sechdr);
490*4882a593Smuzhiyun len -= sizeof(sechdr);
491*4882a593Smuzhiyun
492*4882a593Smuzhiyun buf = ntohl(sechdr.data_size);
493*4882a593Smuzhiyun data_size = buf & 0xffff;
494*4882a593Smuzhiyun
495*4882a593Smuzhiyun check = buf >> 16;
496*4882a593Smuzhiyun check ^= seq ^ call->call_id;
497*4882a593Smuzhiyun check &= 0xffff;
498*4882a593Smuzhiyun if (check != 0) {
499*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
500*4882a593Smuzhiyun RXKADSEALEDINCON);
501*4882a593Smuzhiyun goto protocol_error;
502*4882a593Smuzhiyun }
503*4882a593Smuzhiyun
504*4882a593Smuzhiyun if (data_size > len) {
505*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
506*4882a593Smuzhiyun RXKADDATALEN);
507*4882a593Smuzhiyun goto protocol_error;
508*4882a593Smuzhiyun }
509*4882a593Smuzhiyun
510*4882a593Smuzhiyun _leave(" = 0 [dlen=%x]", data_size);
511*4882a593Smuzhiyun return 0;
512*4882a593Smuzhiyun
513*4882a593Smuzhiyun protocol_error:
514*4882a593Smuzhiyun if (aborted)
515*4882a593Smuzhiyun rxrpc_send_abort_packet(call);
516*4882a593Smuzhiyun return -EPROTO;
517*4882a593Smuzhiyun
518*4882a593Smuzhiyun nomem:
519*4882a593Smuzhiyun _leave(" = -ENOMEM");
520*4882a593Smuzhiyun return -ENOMEM;
521*4882a593Smuzhiyun }
522*4882a593Smuzhiyun
523*4882a593Smuzhiyun /*
524*4882a593Smuzhiyun * Verify the security on a received packet or subpacket (if part of a
525*4882a593Smuzhiyun * jumbo packet).
526*4882a593Smuzhiyun */
rxkad_verify_packet(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,u16 expected_cksum)527*4882a593Smuzhiyun static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
528*4882a593Smuzhiyun unsigned int offset, unsigned int len,
529*4882a593Smuzhiyun rxrpc_seq_t seq, u16 expected_cksum)
530*4882a593Smuzhiyun {
531*4882a593Smuzhiyun struct skcipher_request *req;
532*4882a593Smuzhiyun struct rxrpc_crypt iv;
533*4882a593Smuzhiyun struct scatterlist sg;
534*4882a593Smuzhiyun bool aborted;
535*4882a593Smuzhiyun u16 cksum;
536*4882a593Smuzhiyun u32 x, y;
537*4882a593Smuzhiyun
538*4882a593Smuzhiyun _enter("{%d{%x}},{#%u}",
539*4882a593Smuzhiyun call->debug_id, key_serial(call->conn->params.key), seq);
540*4882a593Smuzhiyun
541*4882a593Smuzhiyun if (!call->conn->cipher)
542*4882a593Smuzhiyun return 0;
543*4882a593Smuzhiyun
544*4882a593Smuzhiyun req = rxkad_get_call_crypto(call);
545*4882a593Smuzhiyun if (!req)
546*4882a593Smuzhiyun return -ENOMEM;
547*4882a593Smuzhiyun
548*4882a593Smuzhiyun /* continue encrypting from where we left off */
549*4882a593Smuzhiyun memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
550*4882a593Smuzhiyun
551*4882a593Smuzhiyun /* validate the security checksum */
552*4882a593Smuzhiyun x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
553*4882a593Smuzhiyun x |= seq & 0x3fffffff;
554*4882a593Smuzhiyun call->crypto_buf[0] = htonl(call->call_id);
555*4882a593Smuzhiyun call->crypto_buf[1] = htonl(x);
556*4882a593Smuzhiyun
557*4882a593Smuzhiyun sg_init_one(&sg, call->crypto_buf, 8);
558*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, call->conn->cipher);
559*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
560*4882a593Smuzhiyun skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
561*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
562*4882a593Smuzhiyun skcipher_request_zero(req);
563*4882a593Smuzhiyun
564*4882a593Smuzhiyun y = ntohl(call->crypto_buf[1]);
565*4882a593Smuzhiyun cksum = (y >> 16) & 0xffff;
566*4882a593Smuzhiyun if (cksum == 0)
567*4882a593Smuzhiyun cksum = 1; /* zero checksums are not permitted */
568*4882a593Smuzhiyun
569*4882a593Smuzhiyun if (cksum != expected_cksum) {
570*4882a593Smuzhiyun aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
571*4882a593Smuzhiyun RXKADSEALEDINCON);
572*4882a593Smuzhiyun goto protocol_error;
573*4882a593Smuzhiyun }
574*4882a593Smuzhiyun
575*4882a593Smuzhiyun switch (call->conn->params.security_level) {
576*4882a593Smuzhiyun case RXRPC_SECURITY_PLAIN:
577*4882a593Smuzhiyun return 0;
578*4882a593Smuzhiyun case RXRPC_SECURITY_AUTH:
579*4882a593Smuzhiyun return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
580*4882a593Smuzhiyun case RXRPC_SECURITY_ENCRYPT:
581*4882a593Smuzhiyun return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
582*4882a593Smuzhiyun default:
583*4882a593Smuzhiyun return -ENOANO;
584*4882a593Smuzhiyun }
585*4882a593Smuzhiyun
586*4882a593Smuzhiyun protocol_error:
587*4882a593Smuzhiyun if (aborted)
588*4882a593Smuzhiyun rxrpc_send_abort_packet(call);
589*4882a593Smuzhiyun return -EPROTO;
590*4882a593Smuzhiyun }
591*4882a593Smuzhiyun
592*4882a593Smuzhiyun /*
593*4882a593Smuzhiyun * Locate the data contained in a packet that was partially encrypted.
594*4882a593Smuzhiyun */
rxkad_locate_data_1(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)595*4882a593Smuzhiyun static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
596*4882a593Smuzhiyun unsigned int *_offset, unsigned int *_len)
597*4882a593Smuzhiyun {
598*4882a593Smuzhiyun struct rxkad_level1_hdr sechdr;
599*4882a593Smuzhiyun
600*4882a593Smuzhiyun if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
601*4882a593Smuzhiyun BUG();
602*4882a593Smuzhiyun *_offset += sizeof(sechdr);
603*4882a593Smuzhiyun *_len = ntohl(sechdr.data_size) & 0xffff;
604*4882a593Smuzhiyun }
605*4882a593Smuzhiyun
606*4882a593Smuzhiyun /*
607*4882a593Smuzhiyun * Locate the data contained in a packet that was completely encrypted.
608*4882a593Smuzhiyun */
rxkad_locate_data_2(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)609*4882a593Smuzhiyun static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
610*4882a593Smuzhiyun unsigned int *_offset, unsigned int *_len)
611*4882a593Smuzhiyun {
612*4882a593Smuzhiyun struct rxkad_level2_hdr sechdr;
613*4882a593Smuzhiyun
614*4882a593Smuzhiyun if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
615*4882a593Smuzhiyun BUG();
616*4882a593Smuzhiyun *_offset += sizeof(sechdr);
617*4882a593Smuzhiyun *_len = ntohl(sechdr.data_size) & 0xffff;
618*4882a593Smuzhiyun }
619*4882a593Smuzhiyun
620*4882a593Smuzhiyun /*
621*4882a593Smuzhiyun * Locate the data contained in an already decrypted packet.
622*4882a593Smuzhiyun */
rxkad_locate_data(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)623*4882a593Smuzhiyun static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
624*4882a593Smuzhiyun unsigned int *_offset, unsigned int *_len)
625*4882a593Smuzhiyun {
626*4882a593Smuzhiyun switch (call->conn->params.security_level) {
627*4882a593Smuzhiyun case RXRPC_SECURITY_AUTH:
628*4882a593Smuzhiyun rxkad_locate_data_1(call, skb, _offset, _len);
629*4882a593Smuzhiyun return;
630*4882a593Smuzhiyun case RXRPC_SECURITY_ENCRYPT:
631*4882a593Smuzhiyun rxkad_locate_data_2(call, skb, _offset, _len);
632*4882a593Smuzhiyun return;
633*4882a593Smuzhiyun default:
634*4882a593Smuzhiyun return;
635*4882a593Smuzhiyun }
636*4882a593Smuzhiyun }
637*4882a593Smuzhiyun
638*4882a593Smuzhiyun /*
639*4882a593Smuzhiyun * issue a challenge
640*4882a593Smuzhiyun */
rxkad_issue_challenge(struct rxrpc_connection * conn)641*4882a593Smuzhiyun static int rxkad_issue_challenge(struct rxrpc_connection *conn)
642*4882a593Smuzhiyun {
643*4882a593Smuzhiyun struct rxkad_challenge challenge;
644*4882a593Smuzhiyun struct rxrpc_wire_header whdr;
645*4882a593Smuzhiyun struct msghdr msg;
646*4882a593Smuzhiyun struct kvec iov[2];
647*4882a593Smuzhiyun size_t len;
648*4882a593Smuzhiyun u32 serial;
649*4882a593Smuzhiyun int ret;
650*4882a593Smuzhiyun
651*4882a593Smuzhiyun _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
652*4882a593Smuzhiyun
653*4882a593Smuzhiyun ret = key_validate(conn->server_key);
654*4882a593Smuzhiyun if (ret < 0)
655*4882a593Smuzhiyun return ret;
656*4882a593Smuzhiyun
657*4882a593Smuzhiyun get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
658*4882a593Smuzhiyun
659*4882a593Smuzhiyun challenge.version = htonl(2);
660*4882a593Smuzhiyun challenge.nonce = htonl(conn->security_nonce);
661*4882a593Smuzhiyun challenge.min_level = htonl(0);
662*4882a593Smuzhiyun challenge.__padding = 0;
663*4882a593Smuzhiyun
664*4882a593Smuzhiyun msg.msg_name = &conn->params.peer->srx.transport;
665*4882a593Smuzhiyun msg.msg_namelen = conn->params.peer->srx.transport_len;
666*4882a593Smuzhiyun msg.msg_control = NULL;
667*4882a593Smuzhiyun msg.msg_controllen = 0;
668*4882a593Smuzhiyun msg.msg_flags = 0;
669*4882a593Smuzhiyun
670*4882a593Smuzhiyun whdr.epoch = htonl(conn->proto.epoch);
671*4882a593Smuzhiyun whdr.cid = htonl(conn->proto.cid);
672*4882a593Smuzhiyun whdr.callNumber = 0;
673*4882a593Smuzhiyun whdr.seq = 0;
674*4882a593Smuzhiyun whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
675*4882a593Smuzhiyun whdr.flags = conn->out_clientflag;
676*4882a593Smuzhiyun whdr.userStatus = 0;
677*4882a593Smuzhiyun whdr.securityIndex = conn->security_ix;
678*4882a593Smuzhiyun whdr._rsvd = 0;
679*4882a593Smuzhiyun whdr.serviceId = htons(conn->service_id);
680*4882a593Smuzhiyun
681*4882a593Smuzhiyun iov[0].iov_base = &whdr;
682*4882a593Smuzhiyun iov[0].iov_len = sizeof(whdr);
683*4882a593Smuzhiyun iov[1].iov_base = &challenge;
684*4882a593Smuzhiyun iov[1].iov_len = sizeof(challenge);
685*4882a593Smuzhiyun
686*4882a593Smuzhiyun len = iov[0].iov_len + iov[1].iov_len;
687*4882a593Smuzhiyun
688*4882a593Smuzhiyun serial = atomic_inc_return(&conn->serial);
689*4882a593Smuzhiyun whdr.serial = htonl(serial);
690*4882a593Smuzhiyun _proto("Tx CHALLENGE %%%u", serial);
691*4882a593Smuzhiyun
692*4882a593Smuzhiyun ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
693*4882a593Smuzhiyun if (ret < 0) {
694*4882a593Smuzhiyun trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
695*4882a593Smuzhiyun rxrpc_tx_point_rxkad_challenge);
696*4882a593Smuzhiyun return -EAGAIN;
697*4882a593Smuzhiyun }
698*4882a593Smuzhiyun
699*4882a593Smuzhiyun conn->params.peer->last_tx_at = ktime_get_seconds();
700*4882a593Smuzhiyun trace_rxrpc_tx_packet(conn->debug_id, &whdr,
701*4882a593Smuzhiyun rxrpc_tx_point_rxkad_challenge);
702*4882a593Smuzhiyun _leave(" = 0");
703*4882a593Smuzhiyun return 0;
704*4882a593Smuzhiyun }
705*4882a593Smuzhiyun
706*4882a593Smuzhiyun /*
707*4882a593Smuzhiyun * send a Kerberos security response
708*4882a593Smuzhiyun */
rxkad_send_response(struct rxrpc_connection * conn,struct rxrpc_host_header * hdr,struct rxkad_response * resp,const struct rxkad_key * s2)709*4882a593Smuzhiyun static int rxkad_send_response(struct rxrpc_connection *conn,
710*4882a593Smuzhiyun struct rxrpc_host_header *hdr,
711*4882a593Smuzhiyun struct rxkad_response *resp,
712*4882a593Smuzhiyun const struct rxkad_key *s2)
713*4882a593Smuzhiyun {
714*4882a593Smuzhiyun struct rxrpc_wire_header whdr;
715*4882a593Smuzhiyun struct msghdr msg;
716*4882a593Smuzhiyun struct kvec iov[3];
717*4882a593Smuzhiyun size_t len;
718*4882a593Smuzhiyun u32 serial;
719*4882a593Smuzhiyun int ret;
720*4882a593Smuzhiyun
721*4882a593Smuzhiyun _enter("");
722*4882a593Smuzhiyun
723*4882a593Smuzhiyun msg.msg_name = &conn->params.peer->srx.transport;
724*4882a593Smuzhiyun msg.msg_namelen = conn->params.peer->srx.transport_len;
725*4882a593Smuzhiyun msg.msg_control = NULL;
726*4882a593Smuzhiyun msg.msg_controllen = 0;
727*4882a593Smuzhiyun msg.msg_flags = 0;
728*4882a593Smuzhiyun
729*4882a593Smuzhiyun memset(&whdr, 0, sizeof(whdr));
730*4882a593Smuzhiyun whdr.epoch = htonl(hdr->epoch);
731*4882a593Smuzhiyun whdr.cid = htonl(hdr->cid);
732*4882a593Smuzhiyun whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
733*4882a593Smuzhiyun whdr.flags = conn->out_clientflag;
734*4882a593Smuzhiyun whdr.securityIndex = hdr->securityIndex;
735*4882a593Smuzhiyun whdr.serviceId = htons(hdr->serviceId);
736*4882a593Smuzhiyun
737*4882a593Smuzhiyun iov[0].iov_base = &whdr;
738*4882a593Smuzhiyun iov[0].iov_len = sizeof(whdr);
739*4882a593Smuzhiyun iov[1].iov_base = resp;
740*4882a593Smuzhiyun iov[1].iov_len = sizeof(*resp);
741*4882a593Smuzhiyun iov[2].iov_base = (void *)s2->ticket;
742*4882a593Smuzhiyun iov[2].iov_len = s2->ticket_len;
743*4882a593Smuzhiyun
744*4882a593Smuzhiyun len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
745*4882a593Smuzhiyun
746*4882a593Smuzhiyun serial = atomic_inc_return(&conn->serial);
747*4882a593Smuzhiyun whdr.serial = htonl(serial);
748*4882a593Smuzhiyun _proto("Tx RESPONSE %%%u", serial);
749*4882a593Smuzhiyun
750*4882a593Smuzhiyun ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
751*4882a593Smuzhiyun if (ret < 0) {
752*4882a593Smuzhiyun trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
753*4882a593Smuzhiyun rxrpc_tx_point_rxkad_response);
754*4882a593Smuzhiyun return -EAGAIN;
755*4882a593Smuzhiyun }
756*4882a593Smuzhiyun
757*4882a593Smuzhiyun conn->params.peer->last_tx_at = ktime_get_seconds();
758*4882a593Smuzhiyun _leave(" = 0");
759*4882a593Smuzhiyun return 0;
760*4882a593Smuzhiyun }
761*4882a593Smuzhiyun
762*4882a593Smuzhiyun /*
763*4882a593Smuzhiyun * calculate the response checksum
764*4882a593Smuzhiyun */
rxkad_calc_response_checksum(struct rxkad_response * response)765*4882a593Smuzhiyun static void rxkad_calc_response_checksum(struct rxkad_response *response)
766*4882a593Smuzhiyun {
767*4882a593Smuzhiyun u32 csum = 1000003;
768*4882a593Smuzhiyun int loop;
769*4882a593Smuzhiyun u8 *p = (u8 *) response;
770*4882a593Smuzhiyun
771*4882a593Smuzhiyun for (loop = sizeof(*response); loop > 0; loop--)
772*4882a593Smuzhiyun csum = csum * 0x10204081 + *p++;
773*4882a593Smuzhiyun
774*4882a593Smuzhiyun response->encrypted.checksum = htonl(csum);
775*4882a593Smuzhiyun }
776*4882a593Smuzhiyun
777*4882a593Smuzhiyun /*
778*4882a593Smuzhiyun * encrypt the response packet
779*4882a593Smuzhiyun */
rxkad_encrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxkad_key * s2)780*4882a593Smuzhiyun static int rxkad_encrypt_response(struct rxrpc_connection *conn,
781*4882a593Smuzhiyun struct rxkad_response *resp,
782*4882a593Smuzhiyun const struct rxkad_key *s2)
783*4882a593Smuzhiyun {
784*4882a593Smuzhiyun struct skcipher_request *req;
785*4882a593Smuzhiyun struct rxrpc_crypt iv;
786*4882a593Smuzhiyun struct scatterlist sg[1];
787*4882a593Smuzhiyun
788*4882a593Smuzhiyun req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
789*4882a593Smuzhiyun if (!req)
790*4882a593Smuzhiyun return -ENOMEM;
791*4882a593Smuzhiyun
792*4882a593Smuzhiyun /* continue encrypting from where we left off */
793*4882a593Smuzhiyun memcpy(&iv, s2->session_key, sizeof(iv));
794*4882a593Smuzhiyun
795*4882a593Smuzhiyun sg_init_table(sg, 1);
796*4882a593Smuzhiyun sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
797*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, conn->cipher);
798*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
799*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
800*4882a593Smuzhiyun crypto_skcipher_encrypt(req);
801*4882a593Smuzhiyun skcipher_request_free(req);
802*4882a593Smuzhiyun return 0;
803*4882a593Smuzhiyun }
804*4882a593Smuzhiyun
805*4882a593Smuzhiyun /*
806*4882a593Smuzhiyun * respond to a challenge packet
807*4882a593Smuzhiyun */
rxkad_respond_to_challenge(struct rxrpc_connection * conn,struct sk_buff * skb,u32 * _abort_code)808*4882a593Smuzhiyun static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
809*4882a593Smuzhiyun struct sk_buff *skb,
810*4882a593Smuzhiyun u32 *_abort_code)
811*4882a593Smuzhiyun {
812*4882a593Smuzhiyun const struct rxrpc_key_token *token;
813*4882a593Smuzhiyun struct rxkad_challenge challenge;
814*4882a593Smuzhiyun struct rxkad_response *resp;
815*4882a593Smuzhiyun struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
816*4882a593Smuzhiyun const char *eproto;
817*4882a593Smuzhiyun u32 version, nonce, min_level, abort_code;
818*4882a593Smuzhiyun int ret;
819*4882a593Smuzhiyun
820*4882a593Smuzhiyun _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
821*4882a593Smuzhiyun
822*4882a593Smuzhiyun eproto = tracepoint_string("chall_no_key");
823*4882a593Smuzhiyun abort_code = RX_PROTOCOL_ERROR;
824*4882a593Smuzhiyun if (!conn->params.key)
825*4882a593Smuzhiyun goto protocol_error;
826*4882a593Smuzhiyun
827*4882a593Smuzhiyun abort_code = RXKADEXPIRED;
828*4882a593Smuzhiyun ret = key_validate(conn->params.key);
829*4882a593Smuzhiyun if (ret < 0)
830*4882a593Smuzhiyun goto other_error;
831*4882a593Smuzhiyun
832*4882a593Smuzhiyun eproto = tracepoint_string("chall_short");
833*4882a593Smuzhiyun abort_code = RXKADPACKETSHORT;
834*4882a593Smuzhiyun if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
835*4882a593Smuzhiyun &challenge, sizeof(challenge)) < 0)
836*4882a593Smuzhiyun goto protocol_error;
837*4882a593Smuzhiyun
838*4882a593Smuzhiyun version = ntohl(challenge.version);
839*4882a593Smuzhiyun nonce = ntohl(challenge.nonce);
840*4882a593Smuzhiyun min_level = ntohl(challenge.min_level);
841*4882a593Smuzhiyun
842*4882a593Smuzhiyun _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
843*4882a593Smuzhiyun sp->hdr.serial, version, nonce, min_level);
844*4882a593Smuzhiyun
845*4882a593Smuzhiyun eproto = tracepoint_string("chall_ver");
846*4882a593Smuzhiyun abort_code = RXKADINCONSISTENCY;
847*4882a593Smuzhiyun if (version != RXKAD_VERSION)
848*4882a593Smuzhiyun goto protocol_error;
849*4882a593Smuzhiyun
850*4882a593Smuzhiyun abort_code = RXKADLEVELFAIL;
851*4882a593Smuzhiyun ret = -EACCES;
852*4882a593Smuzhiyun if (conn->params.security_level < min_level)
853*4882a593Smuzhiyun goto other_error;
854*4882a593Smuzhiyun
855*4882a593Smuzhiyun token = conn->params.key->payload.data[0];
856*4882a593Smuzhiyun
857*4882a593Smuzhiyun /* build the response packet */
858*4882a593Smuzhiyun resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
859*4882a593Smuzhiyun if (!resp)
860*4882a593Smuzhiyun return -ENOMEM;
861*4882a593Smuzhiyun
862*4882a593Smuzhiyun resp->version = htonl(RXKAD_VERSION);
863*4882a593Smuzhiyun resp->encrypted.epoch = htonl(conn->proto.epoch);
864*4882a593Smuzhiyun resp->encrypted.cid = htonl(conn->proto.cid);
865*4882a593Smuzhiyun resp->encrypted.securityIndex = htonl(conn->security_ix);
866*4882a593Smuzhiyun resp->encrypted.inc_nonce = htonl(nonce + 1);
867*4882a593Smuzhiyun resp->encrypted.level = htonl(conn->params.security_level);
868*4882a593Smuzhiyun resp->kvno = htonl(token->kad->kvno);
869*4882a593Smuzhiyun resp->ticket_len = htonl(token->kad->ticket_len);
870*4882a593Smuzhiyun resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
871*4882a593Smuzhiyun resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
872*4882a593Smuzhiyun resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
873*4882a593Smuzhiyun resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
874*4882a593Smuzhiyun
875*4882a593Smuzhiyun /* calculate the response checksum and then do the encryption */
876*4882a593Smuzhiyun rxkad_calc_response_checksum(resp);
877*4882a593Smuzhiyun ret = rxkad_encrypt_response(conn, resp, token->kad);
878*4882a593Smuzhiyun if (ret == 0)
879*4882a593Smuzhiyun ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
880*4882a593Smuzhiyun kfree(resp);
881*4882a593Smuzhiyun return ret;
882*4882a593Smuzhiyun
883*4882a593Smuzhiyun protocol_error:
884*4882a593Smuzhiyun trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
885*4882a593Smuzhiyun ret = -EPROTO;
886*4882a593Smuzhiyun other_error:
887*4882a593Smuzhiyun *_abort_code = abort_code;
888*4882a593Smuzhiyun return ret;
889*4882a593Smuzhiyun }
890*4882a593Smuzhiyun
891*4882a593Smuzhiyun /*
892*4882a593Smuzhiyun * decrypt the kerberos IV ticket in the response
893*4882a593Smuzhiyun */
rxkad_decrypt_ticket(struct rxrpc_connection * conn,struct sk_buff * skb,void * ticket,size_t ticket_len,struct rxrpc_crypt * _session_key,time64_t * _expiry,u32 * _abort_code)894*4882a593Smuzhiyun static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
895*4882a593Smuzhiyun struct sk_buff *skb,
896*4882a593Smuzhiyun void *ticket, size_t ticket_len,
897*4882a593Smuzhiyun struct rxrpc_crypt *_session_key,
898*4882a593Smuzhiyun time64_t *_expiry,
899*4882a593Smuzhiyun u32 *_abort_code)
900*4882a593Smuzhiyun {
901*4882a593Smuzhiyun struct skcipher_request *req;
902*4882a593Smuzhiyun struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
903*4882a593Smuzhiyun struct rxrpc_crypt iv, key;
904*4882a593Smuzhiyun struct scatterlist sg[1];
905*4882a593Smuzhiyun struct in_addr addr;
906*4882a593Smuzhiyun unsigned int life;
907*4882a593Smuzhiyun const char *eproto;
908*4882a593Smuzhiyun time64_t issue, now;
909*4882a593Smuzhiyun bool little_endian;
910*4882a593Smuzhiyun int ret;
911*4882a593Smuzhiyun u32 abort_code;
912*4882a593Smuzhiyun u8 *p, *q, *name, *end;
913*4882a593Smuzhiyun
914*4882a593Smuzhiyun _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
915*4882a593Smuzhiyun
916*4882a593Smuzhiyun *_expiry = 0;
917*4882a593Smuzhiyun
918*4882a593Smuzhiyun ret = key_validate(conn->server_key);
919*4882a593Smuzhiyun if (ret < 0) {
920*4882a593Smuzhiyun switch (ret) {
921*4882a593Smuzhiyun case -EKEYEXPIRED:
922*4882a593Smuzhiyun abort_code = RXKADEXPIRED;
923*4882a593Smuzhiyun goto other_error;
924*4882a593Smuzhiyun default:
925*4882a593Smuzhiyun abort_code = RXKADNOAUTH;
926*4882a593Smuzhiyun goto other_error;
927*4882a593Smuzhiyun }
928*4882a593Smuzhiyun }
929*4882a593Smuzhiyun
930*4882a593Smuzhiyun ASSERT(conn->server_key->payload.data[0] != NULL);
931*4882a593Smuzhiyun ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
932*4882a593Smuzhiyun
933*4882a593Smuzhiyun memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
934*4882a593Smuzhiyun
935*4882a593Smuzhiyun ret = -ENOMEM;
936*4882a593Smuzhiyun req = skcipher_request_alloc(conn->server_key->payload.data[0],
937*4882a593Smuzhiyun GFP_NOFS);
938*4882a593Smuzhiyun if (!req)
939*4882a593Smuzhiyun goto temporary_error;
940*4882a593Smuzhiyun
941*4882a593Smuzhiyun sg_init_one(&sg[0], ticket, ticket_len);
942*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
943*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
944*4882a593Smuzhiyun crypto_skcipher_decrypt(req);
945*4882a593Smuzhiyun skcipher_request_free(req);
946*4882a593Smuzhiyun
947*4882a593Smuzhiyun p = ticket;
948*4882a593Smuzhiyun end = p + ticket_len;
949*4882a593Smuzhiyun
950*4882a593Smuzhiyun #define Z(field) \
951*4882a593Smuzhiyun ({ \
952*4882a593Smuzhiyun u8 *__str = p; \
953*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_bad_"#field); \
954*4882a593Smuzhiyun q = memchr(p, 0, end - p); \
955*4882a593Smuzhiyun if (!q || q - p > (field##_SZ)) \
956*4882a593Smuzhiyun goto bad_ticket; \
957*4882a593Smuzhiyun for (; p < q; p++) \
958*4882a593Smuzhiyun if (!isprint(*p)) \
959*4882a593Smuzhiyun goto bad_ticket; \
960*4882a593Smuzhiyun p++; \
961*4882a593Smuzhiyun __str; \
962*4882a593Smuzhiyun })
963*4882a593Smuzhiyun
964*4882a593Smuzhiyun /* extract the ticket flags */
965*4882a593Smuzhiyun _debug("KIV FLAGS: %x", *p);
966*4882a593Smuzhiyun little_endian = *p & 1;
967*4882a593Smuzhiyun p++;
968*4882a593Smuzhiyun
969*4882a593Smuzhiyun /* extract the authentication name */
970*4882a593Smuzhiyun name = Z(ANAME);
971*4882a593Smuzhiyun _debug("KIV ANAME: %s", name);
972*4882a593Smuzhiyun
973*4882a593Smuzhiyun /* extract the principal's instance */
974*4882a593Smuzhiyun name = Z(INST);
975*4882a593Smuzhiyun _debug("KIV INST : %s", name);
976*4882a593Smuzhiyun
977*4882a593Smuzhiyun /* extract the principal's authentication domain */
978*4882a593Smuzhiyun name = Z(REALM);
979*4882a593Smuzhiyun _debug("KIV REALM: %s", name);
980*4882a593Smuzhiyun
981*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_bad_len");
982*4882a593Smuzhiyun if (end - p < 4 + 8 + 4 + 2)
983*4882a593Smuzhiyun goto bad_ticket;
984*4882a593Smuzhiyun
985*4882a593Smuzhiyun /* get the IPv4 address of the entity that requested the ticket */
986*4882a593Smuzhiyun memcpy(&addr, p, sizeof(addr));
987*4882a593Smuzhiyun p += 4;
988*4882a593Smuzhiyun _debug("KIV ADDR : %pI4", &addr);
989*4882a593Smuzhiyun
990*4882a593Smuzhiyun /* get the session key from the ticket */
991*4882a593Smuzhiyun memcpy(&key, p, sizeof(key));
992*4882a593Smuzhiyun p += 8;
993*4882a593Smuzhiyun _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
994*4882a593Smuzhiyun memcpy(_session_key, &key, sizeof(key));
995*4882a593Smuzhiyun
996*4882a593Smuzhiyun /* get the ticket's lifetime */
997*4882a593Smuzhiyun life = *p++ * 5 * 60;
998*4882a593Smuzhiyun _debug("KIV LIFE : %u", life);
999*4882a593Smuzhiyun
1000*4882a593Smuzhiyun /* get the issue time of the ticket */
1001*4882a593Smuzhiyun if (little_endian) {
1002*4882a593Smuzhiyun __le32 stamp;
1003*4882a593Smuzhiyun memcpy(&stamp, p, 4);
1004*4882a593Smuzhiyun issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
1005*4882a593Smuzhiyun } else {
1006*4882a593Smuzhiyun __be32 stamp;
1007*4882a593Smuzhiyun memcpy(&stamp, p, 4);
1008*4882a593Smuzhiyun issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
1009*4882a593Smuzhiyun }
1010*4882a593Smuzhiyun p += 4;
1011*4882a593Smuzhiyun now = ktime_get_real_seconds();
1012*4882a593Smuzhiyun _debug("KIV ISSUE: %llx [%llx]", issue, now);
1013*4882a593Smuzhiyun
1014*4882a593Smuzhiyun /* check the ticket is in date */
1015*4882a593Smuzhiyun if (issue > now) {
1016*4882a593Smuzhiyun abort_code = RXKADNOAUTH;
1017*4882a593Smuzhiyun ret = -EKEYREJECTED;
1018*4882a593Smuzhiyun goto other_error;
1019*4882a593Smuzhiyun }
1020*4882a593Smuzhiyun
1021*4882a593Smuzhiyun if (issue < now - life) {
1022*4882a593Smuzhiyun abort_code = RXKADEXPIRED;
1023*4882a593Smuzhiyun ret = -EKEYEXPIRED;
1024*4882a593Smuzhiyun goto other_error;
1025*4882a593Smuzhiyun }
1026*4882a593Smuzhiyun
1027*4882a593Smuzhiyun *_expiry = issue + life;
1028*4882a593Smuzhiyun
1029*4882a593Smuzhiyun /* get the service name */
1030*4882a593Smuzhiyun name = Z(SNAME);
1031*4882a593Smuzhiyun _debug("KIV SNAME: %s", name);
1032*4882a593Smuzhiyun
1033*4882a593Smuzhiyun /* get the service instance name */
1034*4882a593Smuzhiyun name = Z(INST);
1035*4882a593Smuzhiyun _debug("KIV SINST: %s", name);
1036*4882a593Smuzhiyun return 0;
1037*4882a593Smuzhiyun
1038*4882a593Smuzhiyun bad_ticket:
1039*4882a593Smuzhiyun trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1040*4882a593Smuzhiyun abort_code = RXKADBADTICKET;
1041*4882a593Smuzhiyun ret = -EPROTO;
1042*4882a593Smuzhiyun other_error:
1043*4882a593Smuzhiyun *_abort_code = abort_code;
1044*4882a593Smuzhiyun return ret;
1045*4882a593Smuzhiyun temporary_error:
1046*4882a593Smuzhiyun return ret;
1047*4882a593Smuzhiyun }
1048*4882a593Smuzhiyun
1049*4882a593Smuzhiyun /*
1050*4882a593Smuzhiyun * decrypt the response packet
1051*4882a593Smuzhiyun */
rxkad_decrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxrpc_crypt * session_key)1052*4882a593Smuzhiyun static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1053*4882a593Smuzhiyun struct rxkad_response *resp,
1054*4882a593Smuzhiyun const struct rxrpc_crypt *session_key)
1055*4882a593Smuzhiyun {
1056*4882a593Smuzhiyun struct skcipher_request *req = rxkad_ci_req;
1057*4882a593Smuzhiyun struct scatterlist sg[1];
1058*4882a593Smuzhiyun struct rxrpc_crypt iv;
1059*4882a593Smuzhiyun
1060*4882a593Smuzhiyun _enter(",,%08x%08x",
1061*4882a593Smuzhiyun ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1062*4882a593Smuzhiyun
1063*4882a593Smuzhiyun mutex_lock(&rxkad_ci_mutex);
1064*4882a593Smuzhiyun if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1065*4882a593Smuzhiyun sizeof(*session_key)) < 0)
1066*4882a593Smuzhiyun BUG();
1067*4882a593Smuzhiyun
1068*4882a593Smuzhiyun memcpy(&iv, session_key, sizeof(iv));
1069*4882a593Smuzhiyun
1070*4882a593Smuzhiyun sg_init_table(sg, 1);
1071*4882a593Smuzhiyun sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1072*4882a593Smuzhiyun skcipher_request_set_sync_tfm(req, rxkad_ci);
1073*4882a593Smuzhiyun skcipher_request_set_callback(req, 0, NULL, NULL);
1074*4882a593Smuzhiyun skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1075*4882a593Smuzhiyun crypto_skcipher_decrypt(req);
1076*4882a593Smuzhiyun skcipher_request_zero(req);
1077*4882a593Smuzhiyun
1078*4882a593Smuzhiyun mutex_unlock(&rxkad_ci_mutex);
1079*4882a593Smuzhiyun
1080*4882a593Smuzhiyun _leave("");
1081*4882a593Smuzhiyun }
1082*4882a593Smuzhiyun
1083*4882a593Smuzhiyun /*
1084*4882a593Smuzhiyun * verify a response
1085*4882a593Smuzhiyun */
rxkad_verify_response(struct rxrpc_connection * conn,struct sk_buff * skb,u32 * _abort_code)1086*4882a593Smuzhiyun static int rxkad_verify_response(struct rxrpc_connection *conn,
1087*4882a593Smuzhiyun struct sk_buff *skb,
1088*4882a593Smuzhiyun u32 *_abort_code)
1089*4882a593Smuzhiyun {
1090*4882a593Smuzhiyun struct rxkad_response *response;
1091*4882a593Smuzhiyun struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1092*4882a593Smuzhiyun struct rxrpc_crypt session_key;
1093*4882a593Smuzhiyun const char *eproto;
1094*4882a593Smuzhiyun time64_t expiry;
1095*4882a593Smuzhiyun void *ticket;
1096*4882a593Smuzhiyun u32 abort_code, version, kvno, ticket_len, level;
1097*4882a593Smuzhiyun __be32 csum;
1098*4882a593Smuzhiyun int ret, i;
1099*4882a593Smuzhiyun
1100*4882a593Smuzhiyun _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1101*4882a593Smuzhiyun
1102*4882a593Smuzhiyun ret = -ENOMEM;
1103*4882a593Smuzhiyun response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1104*4882a593Smuzhiyun if (!response)
1105*4882a593Smuzhiyun goto temporary_error;
1106*4882a593Smuzhiyun
1107*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_short");
1108*4882a593Smuzhiyun abort_code = RXKADPACKETSHORT;
1109*4882a593Smuzhiyun if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1110*4882a593Smuzhiyun response, sizeof(*response)) < 0)
1111*4882a593Smuzhiyun goto protocol_error;
1112*4882a593Smuzhiyun if (!pskb_pull(skb, sizeof(*response)))
1113*4882a593Smuzhiyun BUG();
1114*4882a593Smuzhiyun
1115*4882a593Smuzhiyun version = ntohl(response->version);
1116*4882a593Smuzhiyun ticket_len = ntohl(response->ticket_len);
1117*4882a593Smuzhiyun kvno = ntohl(response->kvno);
1118*4882a593Smuzhiyun _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1119*4882a593Smuzhiyun sp->hdr.serial, version, kvno, ticket_len);
1120*4882a593Smuzhiyun
1121*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_ver");
1122*4882a593Smuzhiyun abort_code = RXKADINCONSISTENCY;
1123*4882a593Smuzhiyun if (version != RXKAD_VERSION)
1124*4882a593Smuzhiyun goto protocol_error;
1125*4882a593Smuzhiyun
1126*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_tktlen");
1127*4882a593Smuzhiyun abort_code = RXKADTICKETLEN;
1128*4882a593Smuzhiyun if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1129*4882a593Smuzhiyun goto protocol_error;
1130*4882a593Smuzhiyun
1131*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_unkkey");
1132*4882a593Smuzhiyun abort_code = RXKADUNKNOWNKEY;
1133*4882a593Smuzhiyun if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1134*4882a593Smuzhiyun goto protocol_error;
1135*4882a593Smuzhiyun
1136*4882a593Smuzhiyun /* extract the kerberos ticket and decrypt and decode it */
1137*4882a593Smuzhiyun ret = -ENOMEM;
1138*4882a593Smuzhiyun ticket = kmalloc(ticket_len, GFP_NOFS);
1139*4882a593Smuzhiyun if (!ticket)
1140*4882a593Smuzhiyun goto temporary_error_free_resp;
1141*4882a593Smuzhiyun
1142*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_tkt_short");
1143*4882a593Smuzhiyun abort_code = RXKADPACKETSHORT;
1144*4882a593Smuzhiyun if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1145*4882a593Smuzhiyun ticket, ticket_len) < 0)
1146*4882a593Smuzhiyun goto protocol_error_free;
1147*4882a593Smuzhiyun
1148*4882a593Smuzhiyun ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1149*4882a593Smuzhiyun &expiry, _abort_code);
1150*4882a593Smuzhiyun if (ret < 0)
1151*4882a593Smuzhiyun goto temporary_error_free_ticket;
1152*4882a593Smuzhiyun
1153*4882a593Smuzhiyun /* use the session key from inside the ticket to decrypt the
1154*4882a593Smuzhiyun * response */
1155*4882a593Smuzhiyun rxkad_decrypt_response(conn, response, &session_key);
1156*4882a593Smuzhiyun
1157*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_param");
1158*4882a593Smuzhiyun abort_code = RXKADSEALEDINCON;
1159*4882a593Smuzhiyun if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1160*4882a593Smuzhiyun goto protocol_error_free;
1161*4882a593Smuzhiyun if (ntohl(response->encrypted.cid) != conn->proto.cid)
1162*4882a593Smuzhiyun goto protocol_error_free;
1163*4882a593Smuzhiyun if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1164*4882a593Smuzhiyun goto protocol_error_free;
1165*4882a593Smuzhiyun csum = response->encrypted.checksum;
1166*4882a593Smuzhiyun response->encrypted.checksum = 0;
1167*4882a593Smuzhiyun rxkad_calc_response_checksum(response);
1168*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_csum");
1169*4882a593Smuzhiyun if (response->encrypted.checksum != csum)
1170*4882a593Smuzhiyun goto protocol_error_free;
1171*4882a593Smuzhiyun
1172*4882a593Smuzhiyun spin_lock(&conn->bundle->channel_lock);
1173*4882a593Smuzhiyun for (i = 0; i < RXRPC_MAXCALLS; i++) {
1174*4882a593Smuzhiyun struct rxrpc_call *call;
1175*4882a593Smuzhiyun u32 call_id = ntohl(response->encrypted.call_id[i]);
1176*4882a593Smuzhiyun
1177*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_callid");
1178*4882a593Smuzhiyun if (call_id > INT_MAX)
1179*4882a593Smuzhiyun goto protocol_error_unlock;
1180*4882a593Smuzhiyun
1181*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_callctr");
1182*4882a593Smuzhiyun if (call_id < conn->channels[i].call_counter)
1183*4882a593Smuzhiyun goto protocol_error_unlock;
1184*4882a593Smuzhiyun
1185*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_callst");
1186*4882a593Smuzhiyun if (call_id > conn->channels[i].call_counter) {
1187*4882a593Smuzhiyun call = rcu_dereference_protected(
1188*4882a593Smuzhiyun conn->channels[i].call,
1189*4882a593Smuzhiyun lockdep_is_held(&conn->bundle->channel_lock));
1190*4882a593Smuzhiyun if (call && call->state < RXRPC_CALL_COMPLETE)
1191*4882a593Smuzhiyun goto protocol_error_unlock;
1192*4882a593Smuzhiyun conn->channels[i].call_counter = call_id;
1193*4882a593Smuzhiyun }
1194*4882a593Smuzhiyun }
1195*4882a593Smuzhiyun spin_unlock(&conn->bundle->channel_lock);
1196*4882a593Smuzhiyun
1197*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_seq");
1198*4882a593Smuzhiyun abort_code = RXKADOUTOFSEQUENCE;
1199*4882a593Smuzhiyun if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1200*4882a593Smuzhiyun goto protocol_error_free;
1201*4882a593Smuzhiyun
1202*4882a593Smuzhiyun eproto = tracepoint_string("rxkad_rsp_level");
1203*4882a593Smuzhiyun abort_code = RXKADLEVELFAIL;
1204*4882a593Smuzhiyun level = ntohl(response->encrypted.level);
1205*4882a593Smuzhiyun if (level > RXRPC_SECURITY_ENCRYPT)
1206*4882a593Smuzhiyun goto protocol_error_free;
1207*4882a593Smuzhiyun conn->params.security_level = level;
1208*4882a593Smuzhiyun
1209*4882a593Smuzhiyun /* create a key to hold the security data and expiration time - after
1210*4882a593Smuzhiyun * this the connection security can be handled in exactly the same way
1211*4882a593Smuzhiyun * as for a client connection */
1212*4882a593Smuzhiyun ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1213*4882a593Smuzhiyun if (ret < 0)
1214*4882a593Smuzhiyun goto temporary_error_free_ticket;
1215*4882a593Smuzhiyun
1216*4882a593Smuzhiyun kfree(ticket);
1217*4882a593Smuzhiyun kfree(response);
1218*4882a593Smuzhiyun _leave(" = 0");
1219*4882a593Smuzhiyun return 0;
1220*4882a593Smuzhiyun
1221*4882a593Smuzhiyun protocol_error_unlock:
1222*4882a593Smuzhiyun spin_unlock(&conn->bundle->channel_lock);
1223*4882a593Smuzhiyun protocol_error_free:
1224*4882a593Smuzhiyun kfree(ticket);
1225*4882a593Smuzhiyun protocol_error:
1226*4882a593Smuzhiyun kfree(response);
1227*4882a593Smuzhiyun trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1228*4882a593Smuzhiyun *_abort_code = abort_code;
1229*4882a593Smuzhiyun return -EPROTO;
1230*4882a593Smuzhiyun
1231*4882a593Smuzhiyun temporary_error_free_ticket:
1232*4882a593Smuzhiyun kfree(ticket);
1233*4882a593Smuzhiyun temporary_error_free_resp:
1234*4882a593Smuzhiyun kfree(response);
1235*4882a593Smuzhiyun temporary_error:
1236*4882a593Smuzhiyun /* Ignore the response packet if we got a temporary error such as
1237*4882a593Smuzhiyun * ENOMEM. We just want to send the challenge again. Note that we
1238*4882a593Smuzhiyun * also come out this way if the ticket decryption fails.
1239*4882a593Smuzhiyun */
1240*4882a593Smuzhiyun return ret;
1241*4882a593Smuzhiyun }
1242*4882a593Smuzhiyun
1243*4882a593Smuzhiyun /*
1244*4882a593Smuzhiyun * clear the connection security
1245*4882a593Smuzhiyun */
rxkad_clear(struct rxrpc_connection * conn)1246*4882a593Smuzhiyun static void rxkad_clear(struct rxrpc_connection *conn)
1247*4882a593Smuzhiyun {
1248*4882a593Smuzhiyun _enter("");
1249*4882a593Smuzhiyun
1250*4882a593Smuzhiyun if (conn->cipher)
1251*4882a593Smuzhiyun crypto_free_sync_skcipher(conn->cipher);
1252*4882a593Smuzhiyun }
1253*4882a593Smuzhiyun
1254*4882a593Smuzhiyun /*
1255*4882a593Smuzhiyun * Initialise the rxkad security service.
1256*4882a593Smuzhiyun */
rxkad_init(void)1257*4882a593Smuzhiyun static int rxkad_init(void)
1258*4882a593Smuzhiyun {
1259*4882a593Smuzhiyun struct crypto_sync_skcipher *tfm;
1260*4882a593Smuzhiyun struct skcipher_request *req;
1261*4882a593Smuzhiyun
1262*4882a593Smuzhiyun /* pin the cipher we need so that the crypto layer doesn't invoke
1263*4882a593Smuzhiyun * keventd to go get it */
1264*4882a593Smuzhiyun tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1265*4882a593Smuzhiyun if (IS_ERR(tfm))
1266*4882a593Smuzhiyun return PTR_ERR(tfm);
1267*4882a593Smuzhiyun
1268*4882a593Smuzhiyun req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1269*4882a593Smuzhiyun if (!req)
1270*4882a593Smuzhiyun goto nomem_tfm;
1271*4882a593Smuzhiyun
1272*4882a593Smuzhiyun rxkad_ci_req = req;
1273*4882a593Smuzhiyun rxkad_ci = tfm;
1274*4882a593Smuzhiyun return 0;
1275*4882a593Smuzhiyun
1276*4882a593Smuzhiyun nomem_tfm:
1277*4882a593Smuzhiyun crypto_free_sync_skcipher(tfm);
1278*4882a593Smuzhiyun return -ENOMEM;
1279*4882a593Smuzhiyun }
1280*4882a593Smuzhiyun
1281*4882a593Smuzhiyun /*
1282*4882a593Smuzhiyun * Clean up the rxkad security service.
1283*4882a593Smuzhiyun */
rxkad_exit(void)1284*4882a593Smuzhiyun static void rxkad_exit(void)
1285*4882a593Smuzhiyun {
1286*4882a593Smuzhiyun crypto_free_sync_skcipher(rxkad_ci);
1287*4882a593Smuzhiyun skcipher_request_free(rxkad_ci_req);
1288*4882a593Smuzhiyun }
1289*4882a593Smuzhiyun
1290*4882a593Smuzhiyun /*
1291*4882a593Smuzhiyun * RxRPC Kerberos-based security
1292*4882a593Smuzhiyun */
1293*4882a593Smuzhiyun const struct rxrpc_security rxkad = {
1294*4882a593Smuzhiyun .name = "rxkad",
1295*4882a593Smuzhiyun .security_index = RXRPC_SECURITY_RXKAD,
1296*4882a593Smuzhiyun .no_key_abort = RXKADUNKNOWNKEY,
1297*4882a593Smuzhiyun .init = rxkad_init,
1298*4882a593Smuzhiyun .exit = rxkad_exit,
1299*4882a593Smuzhiyun .init_connection_security = rxkad_init_connection_security,
1300*4882a593Smuzhiyun .prime_packet_security = rxkad_prime_packet_security,
1301*4882a593Smuzhiyun .secure_packet = rxkad_secure_packet,
1302*4882a593Smuzhiyun .verify_packet = rxkad_verify_packet,
1303*4882a593Smuzhiyun .free_call_crypto = rxkad_free_call_crypto,
1304*4882a593Smuzhiyun .locate_data = rxkad_locate_data,
1305*4882a593Smuzhiyun .issue_challenge = rxkad_issue_challenge,
1306*4882a593Smuzhiyun .respond_to_challenge = rxkad_respond_to_challenge,
1307*4882a593Smuzhiyun .verify_response = rxkad_verify_response,
1308*4882a593Smuzhiyun .clear = rxkad_clear,
1309*4882a593Smuzhiyun };
1310